
How (not) to use your firewall


Presentation Transcript


  1. How (not) to use your firewall
     Jurjen N.E. Bos, Information Security Consultant

  2. Overview
     • Introduction
     • Principles of information security
     • Strengths and weaknesses of a firewall
     • Basic principles
     • Conclusion

  3. Introduction
     • A firewall, originally, is a wall that prevents spreading of fire through a building
     • More generally, it isolates things in case of hazard
     • Specifically, we will discuss isolating the Internet from a company network

  4. A firewall
     [diagram: Internet | Firewall | LAN]

  5. Principles of information security
     • What do you want to protect?
       • Your data
         • secrecy
         • reliability
         • availability
       • Your hardware
       • Your reputation

  6. What do you want your firewall to do?
     • Increase security
     • Simplify maintenance of network
     • Save money
     • Be user friendly and non-disruptive

  7. What can your firewall do
     • A firewall protects your company LAN against
       • known threats
       • coming from outside
       • via the firewall
       • at connection level
       • by making things harder to use.

  8. What can’t your firewall do
     • Solve your security problem
     • Protect against viruses
     • Protect data that doesn’t flow through it
     • Be “user friendly”
     • Protect against every threat
     • Protect against attacks from the inside

  9. Examples
     • A firewall does not protect against viruses
       • There’s a new example every month
     • A firewall does not protect against unknown attacks
       • Firewall-1 DoS attack: July 2000
     • A firewall makes life harder
       • If you had no front door lock, you wouldn’t have to stay home for the heating repairman. Wouldn’t that be convenient?

  10. Maintaining a firewall
     • Most attacks are published in enough detail that people can figure out for themselves how to attack your machines.
     • Install your system properly
     • Read the news on known holes (e.g. SANS), and download the patches
     • Watch out for fake patches
     • Watch out for reliability of your machines
     • Read your log files

  11. A firewall is not a machine
     • A firewall does not only consist of the firewall host machine, but also of:
       • A security model
       • A list of firewall settings (e.g., allowed services)
       • Procedures to maintain the firewall host machine
       • An operator or group of operators
       • A list of guidelines

  12. Basic rules
     • A few trivial but important rules for security maintenance:
       • Use multiple layers of protection
       • Keep it simple
       • “No, unless” instead of “Yes, if”
       • Monitor your systems
         • Not only the firewall, but also the network behind it
       • Decide on your security model
         • Risk analysis is a very useful tool
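Slides 10 and 12 both say to read the firewall's log files and to watch the network behind the firewall, not just the firewall itself. The following is an added example (not code from the presentation) of what that reading can look like when automated: a small parser over a constructed, hypothetical log format that counts denied connections per source, flags outside hosts that were refused on many different ports, and separately reports denied connections that originated inside the LAN, which is the "attacks from the inside" case of slide 8. The log lines, the `10.0.0.` LAN prefix and the threshold of four ports are all constructed for the example.

```python
"""Read firewall logs for two things slide 12 asks you to watch:
outside hosts probing many ports, and denied traffic that starts inside.

Added example; the log format below is hypothetical and constructed,
not the format of any particular firewall product.
"""
import re
from collections import defaultdict

# One constructed line: <timestamp> <ALLOW|DENY> <proto> <src> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one outside host refused on five different
# ports, one inside host repeatedly refused an outbound connection, and
# a line that does not parse at all (logs are rarely clean).
SAMPLE_LOG = """\
2000-07-15T10:02:13 ALLOW tcp 10.0.0.7 -> 203.0.113.5:80
2000-07-15T10:02:14 DENY udp 198.51.100.9 -> 10.0.0.1:161
2000-07-15T10:02:15 DENY tcp 198.51.100.9 -> 10.0.0.1:23
2000-07-15T10:02:15 DENY tcp 198.51.100.9 -> 10.0.0.1:21
2000-07-15T10:02:16 DENY tcp 198.51.100.9 -> 10.0.0.1:110
2000-07-15T10:02:16 DENY tcp 198.51.100.9 -> 10.0.0.1:119
this line was corrupted and does not match the format
2000-07-15T10:03:01 DENY tcp 10.0.0.42 -> 203.0.113.77:6667
2000-07-15T10:03:05 DENY tcp 10.0.0.42 -> 203.0.113.77:6667
2000-07-15T10:03:09 ALLOW tcp 10.0.0.42 -> 203.0.113.5:25
"""


def parse_log(text):
    """Return (records, unparsed_count). Unparsable lines are counted,
    not silently dropped, so a format change in the log is noticed."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, unparsed


def summarize(text, lan_prefix="10.0.0.", scan_threshold=4):
    """Aggregate DENY records per source address.

    probing_sources: sources refused on at least scan_threshold distinct
                     destination ports (many different ports from one
                     host is worth a look, whatever the cause).
    inside_denied:   DENY count per source inside the LAN, i.e. traffic
                     the firewall refused that came from behind it.
    """
    records, unparsed = parse_log(text)
    denied_ports = defaultdict(set)
    inside_denied = defaultdict(int)
    for r in records:
        if r["action"] != "DENY":
            continue
        denied_ports[r["src"]].add(r["dport"])
        if r["src"].startswith(lan_prefix):
            inside_denied[r["src"]] += 1
    probing = sorted(src for src, ports in denied_ports.items()
                     if len(ports) >= scan_threshold)
    return {
        "parsed": len(records),
        "unparsed": unparsed,
        "probing_sources": probing,
        "inside_denied": dict(inside_denied),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two aggregates are deliberately separate: the distinct-port count is about what is knocking from outside, while the inside count is the signal slide 12 means by "the network behind it", since a LAN host repeatedly trying a blocked service is something no rule on the firewall itself will explain. The unparsed counter matters too: a log reader that silently skips lines it cannot read will also skip the day the vendor changes the format.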

  13. Layers of protection
     [diagram: nested layers of protection labelled A, B and C]

  14. Protocol stack
     • User Layer: Word, PDF
     • Application Layer: SMTP, FTP, Telnet
     • Transport Layer: TCP, UDP, ICMP
     • Internet Layer: IP
     • Network Access Layer: Ethernet, ATM

  15. Example: firewall settings
     • Allow useful low risk services: SMTP, POP (mail), NNTP (news), HTTP (surfing)
     • If you really need it, allow services like DNS (naming), IRC (chat), MBONE (video conferencing and the like)
     • Don’t allow games, NTP (time), RIP, OSPF (routing), SNMP (management), NIS, WINS (naming)
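Slide 12's "No, unless" instead of "Yes, if" and slide 15's service list fit together: the settings are an allow list, and anything not on it is refused. The added example below (not code from the presentation) models both policies over the same service list so the difference is visible on a concrete connection. The port numbers are the standard assignments for the named services and are an assumption on my part, since the slide names services, not ports; the `Conn` class, the function names and the sample connections are constructed for the example. Like the firewall of slide 7, the decision looks only at protocol and port, "at connection level": nothing here can see what the packets carry.

```python
"""'No, unless' (default deny) versus 'Yes, if' (default allow), using
the service list from slide 15.

Added example. Port numbers are the standard assignments for these
services (an assumption; the slide names services only).
"""
from dataclasses import dataclass

# Slide 15: useful low risk services, allowed outright.
LOW_RISK = {
    "smtp": ("tcp", 25),
    "pop3": ("tcp", 110),
    "nntp": ("tcp", 119),
    "http": ("tcp", 80),
}
# Slide 15: allow only "if you really need it".
IF_NEEDED = {
    "dns": ("udp", 53),
    "irc": ("tcp", 6667),
}
# Slide 15: don't allow. Under 'No, unless' this list is never consulted;
# it exists only so the 'Yes, if' policy has something to block.
NEVER = {
    "ntp": ("udp", 123),
    "snmp": ("udp", 161),
    "rip": ("udp", 520),
}


@dataclass(frozen=True)
class Conn:
    """A connection as a connection-level filter sees it: protocol and
    destination port only. Payload is invisible at this layer."""
    proto: str
    dport: int


def build_allow_list(need_if_needed=()):
    """'No, unless': the rule set is the explicit allow list and nothing
    else. Services from IF_NEEDED are added only when named."""
    allowed = dict(LOW_RISK)
    for name in need_if_needed:
        allowed[name] = IF_NEEDED[name]  # KeyError: not an 'if needed' service
    return set(allowed.values())


def decide_default_deny(conn, allow):
    """Allow only what is on the list; everything unknown is refused."""
    return "allow" if (conn.proto, conn.dport) in allow else "deny"


def decide_default_allow(conn, block):
    """'Yes, if': everything passes unless it is on the block list, so a
    service nobody thought of passes too."""
    return "deny" if (conn.proto, conn.dport) in block else "allow"


def compare(conn, need_if_needed=()):
    """Return (default_deny_verdict, default_allow_verdict) for one
    connection, with no 'if needed' services enabled unless named."""
    allow = build_allow_list(need_if_needed)
    block = set(NEVER.values())
    return decide_default_deny(conn, allow), decide_default_allow(conn, block)


if __name__ == "__main__":
    samples = {
        "SMTP (listed)": Conn("tcp", 25),
        "SNMP (listed as forbidden)": Conn("udp", 161),
        "IRC (not enabled)": Conn("tcp", 6667),
        "unknown service on port 31337": Conn("tcp", 31337),
    }
    print(f"{'connection':32} {'No, unless':>10} {'Yes, if':>8}")
    for label, conn in samples.items():
        deny_first, allow_first = compare(conn)
        print(f"{label:32} {deny_first:>10} {allow_first:>8}")
```

The last two sample rows are the point of slide 12: a block list only stops the services someone already decided to forbid, so both the not-yet-enabled IRC and a service nobody has heard of sail through "Yes, if", while "No, unless" refuses both until somebody explicitly adds them. That is also why the allow list stays short and readable, which is slide 12's "keep it simple" in practice.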

  16. Train your users
     • Users must know basic things in order to make effective use of security measures:
       • The Internet is unreliable.
       • Security through obscurity doesn’t work (they won’t notice I have all my passwords in a file called “secret”).
       • Social engineering is hard to recognise.
     • I recommend writing a guidelines document for Internet usage.

  17. Guidelines for users
     • Things to consider putting in a guidelines document:
       • Use the connections that are available
         • No own phone connections, for example
       • No downloading of objectionable material
         • Filters annoy “good” users, and don’t stop “bad” users
       • Don’t trust the outside world
         • Social engineering is a serious threat
         • Digital data is often more valuable than physical objects

  18. Useful literature
     • There are a zillion books about information security out there. The ones I read recently and liked:
       • Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman: “Building Internet Firewalls”, second edition, O’Reilly
       • Bruce Schneier: “Secrets and Lies”

  19. Conclusion
     • Basic rules of using any security system:
       • Don’t trust anything
       • Don’t put all your eggs in one basket
         • Attacks may come from everywhere
       • Know what you want to protect
       • Use the simplest protection that protects it
       • Train your users
       • Stay alert

  20. How to make a firewall useless
     • Trust your users
     • Use the default installation
     • Use a sophisticated self designed system that locks out everything dangerous
     • Assume the firewall will protect you forever
